<p>On this week’s show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week’s cybersecurity news, including:</p> <ul> <li>Vercel got owned, and there’s a few infostealer and compromised employee dots to connect</li> <li>Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse</li> <li>Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs?</li> <li>The NSA is using Mythos even though the government did that whole Anthropic blacklisting thing</li> <li>And DDos attacks hit a couple of smaller-player socials</li> </ul> <p>This week’s episode is sponsored by Permiso. Ian Ahl chats to Pat about the subtle signals Permiso uses to detect ShinyHunters-style activity in cloud and on-prem environments.</p> <p>This episode is also available on <a href="https://youtu.be/vMqA4giggoM">Youtube</a>.</p> <h3 class="panel-title">Show notes</h3> <ul> <li><a href="https://vercel.com/kb/bulletin/vercel-april-2026-security-incident">Vercel April 2026 Security incident</a></li> <li><a href="https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/">Vercel breach linked to infostealer infection at Context.ai</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/">Vercel confirms breach as hackers claim to be selling stolen data</a></li> <li><a href="https://x.com/mattjay/status/2046222804555608574?s=46&amp;t=VLIuBKdOq3MvRk4IpV-_-A">Matt Johansen: “This is not a good look” | X</a></li> <li><a href="https://www.cybersecuritydive.com/news/nist-vulnerability-analysis-criteria-nvd-cve/817683/">NIST limits vulnerability analysis as CVE backlog swells | Cybersecurity Dive</a></li> <li><a href="https://x.com/CISACyber/status/2046284602218549277">CISA Cyber on X</a></li> <li><a href="https://therecord.media/ransomware-nhs-cyberattack-disruption">Ransomware attack continues to disrupt healthcare in London nearly two years later | The Record from Recorded Future News</a></li> <li><a href="https://cyberscoop.com/lawmakers-ponder-terrorism-designations-homicide-charges-over-hospital-ransomware-attacks/">Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks | CyberScoop</a></li> <li><a href="https://therecord.media/fisa--trump-congress-extension-surveillance">In defeat for Trump, House extends electronic spying program for just 10 days | The Record from Recorded Future News</a></li> <li><a href="https://therecord.media/crypto-north-korea-theft-kelp">Crypto infrastructure company blames $290 million theft on North Korean hackers | The Record from Recorded Future News</a></li> <li><a href="https://arstechnica.com/security/2026/04/russia-friendly-exchange-says-western-special-service-behind-15-million-cyberattack/">US-sanctioned currency exchange says $15 million heist done by &quot;unfriendly states&quot; - Ars Technica</a></li> <li><a href="https://techcrunch.com/2026/04/17/hackers-are-abusing-unpatched-windows-security-flaws-to-hack-into-organizations/">Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch</a></li> <li><a href="https://www.wired.com/story/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox/">Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox | WIRED</a></li> <li><a href="https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon">NSA using Anthropic&#39;s Mythos despite Defense Department blacklist</a></li> <li><a href="https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook">Beyond the breach: inside a cargo theft actor’s post-compromise playbook | Proofpoint US</a></li> <li><a href="https://www.straitstimes.com/world/middle-east/scam-messages-offering-ships-safe-transit-through-hormuz-security-firm-warns">Beware scam messages offering ships safe transit through Hormuz Strait, says security firm | The Straits Times</a></li> <li><a href="https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms">New Jersey men given lengthy sentences for running North Korean laptop farms | The Record from Recorded Future News</a></li> <li><a href="https://arunninghacker.substack.com/p/turns-out-were-not-alone">Turns Out We’re Not Alone - Volodymyr Styran</a></li> <li><a href="https://www.cybersecuritydive.com/news/ddos-service-takedowns-arrests-operation-poweroff/817814/">US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive</a></li> <li><a href="https://therecord.media/bluesky-blames-app-outage-on-ddos">Bluesky blames app outage on ‘sophisticated’ DDoS attack | The Record from Recorded Future News</a></li> <li><a href="https://techcrunch.com/2026/04/20/mastodon-says-its-flagship-server-was-hit-by-a-ddos-attack/">Mastodon says its flagship server was hit by a DDoS attack | TechCrunch</a></li> <li><a href="https://www.kuban.kp.ru/online/news/6926840/">An IT expert explained under what conditions using a VPN can cause a smartphone to explode</a></li> </ul>